Ashton Kutcher is best known as an actor and producer, but he is also a successful tech investor, having taken stakes in companies such as Airbnb, Foursquare, Meerkat, Spotify and Uber.

During a general session at Intel Security's Focus 16 security conference, he admitted it is easier to identify a strategy with the benefit of hindsight, but said you should "look for companies that are trying to do something that hasn't been done before, or to remove friction."

The problem is that such companies tend to strip away security in order to innovate more quickly. That doesn't mean older businesses are blameless when it comes to security, as their security measures were designed for different times and different issues - "Uber driver steps on dead frog" gets a headline, he joked, but the same incident involving a traditional taxi or hire car driver wouldn't.

But the new platforms do provide new security-related opportunities, he suggested, such as checking that the purported driver of a ride-hailing car really is the person behind the wheel, or verifying that a particular digital profile really is that of the individual offering to provide or purchase goods or services. (Kutcher didn't mention the company, but Australia-based Collaborate is addressing the latter point with its PeerPass identity verification service for peer-to-peer marketplaces.)

At a more technical level, Kutcher pointed to businesses such as Coronet (protection against wireless threats) and SentinelOne (detection of malicious activity with automatic rollback, which makes it especially relevant to the ransomware problem).

While new companies are focussed more on their product than on security, they typically take advantage of the security features offered by AWS or whichever cloud platform they are using.

Reaching midsize is "probably the most vulnerable point because you don't realise you're a target yet," he said, though that's when you need to take appropriate security measures. By the time you're regarded as a large company it is probably too late if you haven't already thought seriously about security.

No stranger to being the target of cyber-attacks, Kutcher warned attendees that "the fingers have to be just as protected as the heart." For example, because his personal assistant and other staff hold a lot of information about him, he expects them to use two-step verification.

Part of the problem is the battle between convenience and security: people will use their birthday as the code for their garage door opener, as their ATM PIN and so on. "When people get lazy these scenarios happen."

And there's also an underlying problem with cybersecurity in that "cultures and communities are built on fiction, whether that's in the form of religions, constitutions or other statements that people subscribe to, and we don't have an agreed fiction for the cyber arena."

The internet is "a new country, a new world" and "we don't know what the rules are yet." We are never going to be able to lock all the (virtual) doors, so we need to know the extent to which we can trust our neighbours.

We need a "global doctrine for cybersecurity," he suggested, something that sets out a basic "handshake agreement" and the sanctions for breaching the agreed rules. "We need to write this doctrine" so it represents the rules we want. If not, it will be written by idiots, he suggested, adding (to loud applause) "You don't want it to be written by people who don't even understand how the internet works."

Largely through the A-Grade Investments venture capital fund he co-founded, Kutcher has invested in well-known companies including Airbnb, Foursquare, Spotify and Uber.

Kutcher said he has invested in about 100 companies over eight years or so. About 20% of them have seen a "moonshot value increase" while around half have come out approximately even. According to reports, A-Grade's overall performance has been substantially above average.

Disclosure: The writer attended Focus 16 as a guest of Intel Security.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.